On Sun, Oct 14, 2018 at 12:05 PM Giorgio Biondi <[email protected]> wrote:
> Hi,
>
> I have a problem on my mailserver with ossec: I have seen some brute force
> attacks but ossec doesn't react to this log.
> I have tried with the logtest tool, and 'no decoder match' is returned, but
> my ossec installation has rules for dovecot.
>
> Does somebody have a hint?
>
> See this:
>
> [root@mailserver bin]# ./ossec-logtest
> 2018/10/14 16:12:27 ossec-testrule: INFO: Reading local decoder file.
> 2018/10/14 16:12:27 ossec-testrule: INFO: Started (pid: 32967).
> ossec-testrule: Type one log per line.
>
>
> Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>

Are there really 2 timestamps in the log message?

> **Phase 1: Completed pre-decoding.
> full event: 'Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
> hostname: 'mailserver'
> program_name: '(null)'
> log: 'dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
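To see why logtest ends up with program_name '(null)' and no decoder match, here is an added example that is not part of this thread or of OSSEC's own code: a simplified Python pre-decoder (an approximation of OSSEC's syslog header handling, assumed here; the real one is in C), run on the event above, plus a normalizer that drops the embedded second timestamp so the body pre-decodes as program_name 'dovecot' (assumed to be what the dovecot decoder keys on) and the auth-failure fields can be pulled out. The regexes and function names are this example's own.

```python
import re
from typing import Optional

# Constructed sample: the event from the thread, re-joined onto one line
# (the address is the anonymised form shown in the post).
SAMPLE = ("Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: "
          "Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, "
          "method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>")

TS = r"[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d"   # syslog timestamp, e.g. "Oct 14 15:50:21"
HEADER = re.compile(rf"^(?P<ts>{TS}) (?P<host>\S+) (?P<rest>.*)$")
# A program name only counts if it is followed by ':' or '[pid]:'.
PROG = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")
# Body that starts with a bare word and a second timestamp: the shape logtest showed.
DOUBLE_TS = re.compile(rf"^(?P<prog>[^\s:\[]+) (?P<ts2>{TS}) (?P<log>.*)$")
AUTH_FAIL = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<srcip>[\d.]+)")

def predecode(line: str) -> dict:
    """Simplified syslog pre-decoding: timestamp, hostname, program_name, log."""
    m = HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    p = PROG.match(m.group("rest"))
    if p is None:  # no 'name:' token right after the hostname -> program_name null
        return {"hostname": m.group("host"), "program_name": None, "log": m.group("rest")}
    return {"hostname": m.group("host"), "program_name": p.group("prog"), "log": p.group("log")}

def normalize(line: str) -> str:
    """Drop the embedded second timestamp and restore the 'prog: ' separator."""
    m = HEADER.match(line)
    d = DOUBLE_TS.match(m.group("rest")) if m else None
    if d is None:
        return line  # already well-formed (or not syslog at all): leave untouched
    return f"{m.group('ts')} {m.group('host')} {d.group('prog')}: {d.group('log')}"

def auth_failure(line: str) -> Optional[dict]:
    """Return user and source IP for a dovecot auth failure, or None."""
    ev = predecode(normalize(line))
    if ev["program_name"] != "dovecot":
        return None
    a = AUTH_FAIL.search(ev["log"])
    return {"user": a.group("user"), "srcip": a.group("srcip")} if a else None

if __name__ == "__main__":
    print(predecode(SAMPLE)["program_name"])   # None, as logtest reported
    print(auth_failure(SAMPLE))                # user and rip once normalized
```

The fix on the agent side is to stop the second timestamp being written into the syslog line (or to pre-process it as above); until then, the dovecot rules never see a matching program_name.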
